Configuring Websense to communicate with Active Directory
Article Number: 000001177 (1177)
Products:
V-Series, Web Security and Filter, Web Security Gateway, Web Security Gateway Anywhere
Versions:
7.0, 7.1, 7.5, 7.6
Problem Description
My network includes Windows Active Directory as its directory service. I would like to enable user and group-based filtering in Websense. How do I configure Websense to communicate with Active Directory?
Resolution
If your network is in Interim Mode, where you are migrating domain controllers from Windows NT to Windows 200x, and you still have NT domain controllers, configure Websense software to communicate with Windows NT Directory / Active Directory (Mixed Mode) to enable user and group-based filtering.
Likewise, if you are using Windows Active Directory in Mixed Mode, select the same option. "Mixed Mode" means that your Directory Service is configured to allow use of Windows NT domain controllers.
The default directory service option for Websense software is to use Windows NT Directory / Active Directory (Mixed Mode). If this is appropriate for your network environment, no configuration is necessary.
To verify which directory service your Websense software is currently configured to use, open Websense Manager and go to Settings > Directory Services.
NOTE: You can be in Mixed Mode even with no Windows NT domain controllers in your network. If this is the case, configure Websense software to communicate with Active Directory (Native Mode). Check your domain controller settings to verify your operating mode.
Windows Active Directory (Native Mode): Basic Configuration
To configure Websense software to communicate with Windows Active Directory in Native Mode:
1. In Websense Manager, click the Settings tab of the left navigation pane, and then select Directory Services.
2. Mark the Active Directory (Native Mode) radio button.
3. To identify a global catalog server for Websense software to access, click Add.
4. Enter the IP address or name of the global catalog server, or its Fully Qualified Domain Name, and the connection port that Websense software should use.
5. To improve performance, provide the Root context that Websense software should use when searching the directory.
   - The root context must be in LDAP format, such as DC=xxxx,DC=yyyy,DC=zzzz. For example, if your domain is domain2.websense.com, then the correct root context is DC=domain2,DC=websense,DC=com.
   - If you have specified a communications port of 3268 or 3269, providing a root context is optional.
   - If the specified port is 389 or 636, you must provide a root context.
   - If the Root context field is left blank, Websense software begins searching at the top level of the directory service.
6. Under Administrative Access, indicate which format you want to use to provide account information for connecting to the directory:
   - Select Distinguished name by components to provide each piece of the account information separately.
   - Select Full distinguished name to provide the account information in a single string.
7. Enter the account that Websense software should use to connect to the directory, in the format that you have selected.
   - If you selected Distinguished name by components, enter the Display name, account Password, Account folder, and DNS domain name for the administrative account. Use the common name (cn) form of the administrative user name, not the user ID (uid) form. Note that the Account folder field does not support values with the organizational unit (ou) tag (for example, ou=Finance). If your administrative account name contains an ou tag, enter the full distinguished name for the administrative account instead.
   - If you selected Full distinguished name, enter the distinguished name as a single string in the User distinguished name field (for example, CN=John Smith,OU=Dept,DC=company,DC=com), and then supply the Password for that account.
8. Enter the password for the account.
9. Click OK to return to the Directory Services page.
10. Repeat steps 3 - 9 to add additional global catalog servers, if necessary.
This completes the basic steps required to configure Websense software to communicate with Windows Active Directory in Native Mode. To configure custom search filters, encrypt communication between Websense software and the directory, or change the character set that Websense software uses to encode LDAP information, continue with the next section. If you are finished configuring Websense software, click OK to cache your changes, and then click Save All to implement the changes.
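The rules in the steps above (root context derived from the DNS domain name, root context optional only on the global catalog ports 3268/3269, the Account folder field not accepting ou= values) are easy to get wrong when typed by hand. The following is an added example, not code from the article or from the Websense product, that encodes those rules so a planned connection can be checked before it is entered in Websense Manager. It assumes that the Account folder under "Distinguished name by components" is a CN container (such as the default Users container), and the host, port and Use SSL values are taken as given; the DN escaping follows RFC 4514.

```python
"""Added example (not part of the Websense article or product): helpers that
reproduce the Native Mode directory rules from the article in code.

Assumptions not stated on the page: the Account folder entered under
"Distinguished name by components" is a CN container such as the default
Users container, and port / Use SSL values are taken as the operator set them.
"""

GLOBAL_CATALOG_PORTS = {3268, 3269}   # root context optional (per the article)
LDAP_PORTS = {389, 636}               # root context required (per the article)
TLS_PORTS = {636, 3269}               # LDAPS and global catalog over SSL

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value so it cannot alter the DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def root_context_from_domain(dns_domain: str) -> str:
    """domain2.websense.com -> DC=domain2,DC=websense,DC=com (the article's example)."""
    labels = [label for label in dns_domain.strip().strip('.').split('.') if label]
    if not labels:
        raise ValueError('DNS domain name is empty')
    return ','.join('DC=' + escape_dn_value(label) for label in labels)


def bind_dn_from_components(display_name: str, account_folder: str, dns_domain: str) -> str:
    """Build the full DN implied by the 'Distinguished name by components' fields.

    The article says the Account folder field does not accept ou= values, so
    such input is rejected; the operator should use Full distinguished name.
    """
    folder = account_folder.strip()
    if folder.lower().startswith('ou='):
        raise ValueError('Account folder cannot be an organizational unit; '
                         'enter the full distinguished name instead')
    if not folder.lower().startswith('cn='):
        folder = 'CN=' + escape_dn_value(folder)   # assumption: container is a CN
    return f'CN={escape_dn_value(display_name)},{folder},{root_context_from_domain(dns_domain)}'


def assess_connection(port: int, root_context: str, use_ssl: bool) -> list:
    """Return a list of findings; an empty list means the settings follow the article."""
    findings = []
    rc = root_context.strip()
    if port in LDAP_PORTS and not rc:
        findings.append(f'port {port} requires a root context')
    elif port in GLOBAL_CATALOG_PORTS and not rc:
        findings.append('no root context: the search starts at the top of the directory '
                        '(allowed on a global catalog port, but slower)')
    elif port not in LDAP_PORTS | GLOBAL_CATALOG_PORTS:
        findings.append(f'port {port} is not a standard LDAP or global catalog port')
    if rc and not all(part.strip().upper().startswith('DC=') for part in rc.split(',')):
        findings.append('root context should contain only DC= components, '
                        'e.g. DC=domain2,DC=websense,DC=com')
    if port in TLS_PORTS and not use_ssl:
        findings.append(f'port {port} is an SSL port but Use SSL is not checked')
    if port not in TLS_PORTS and not use_ssl:
        findings.append('bind credentials and directory data are sent in the clear; '
                        'check Use SSL or use port 636 / 3269')
    return findings


if __name__ == '__main__':
    # Constructed sample values, not from a real directory.
    print(root_context_from_domain('domain2.websense.com'))
    print(bind_dn_from_components('John Smith', 'Users', 'company.com'))
    for finding in assess_connection(389, '', False):
        print('finding:', finding)
```

Run it against the values you intend to enter; a non-empty finding list from assess_connection means either the port / root context pairing or the SSL setting contradicts the article, and the cleartext finding on 389 / 3268 is the one worth acting on first because the administrative bind password travels on that connection.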
Advanced Directory Settings
To configure additional directory settings:
1. At the bottom of the Directory Services page, click Advanced Directory Settings.
2. If you use custom object class types (attribute names) in your directory service, check Use custom filters. The default filter strings appear in the Filters fields.
3. Edit the existing filter strings, substituting the object class types specific to your directory. For example, if your directory uses an object class type such as dept instead of ou (organizational unit), insert the new value in the Domain Search Filter field. Attribute values are always strings used when searching the directory service contents. The custom filters provide the following functionality:
   - User Search Filter determines how User Service searches for users.
   - Group Search Filter determines how User Service searches for groups.
   - Domain Search Filter determines how User Service searches for domains and organizational units.
   - User's Groups Search Filter determines how User Service associates users with groups.
4. To secure communications between Websense software and your directory service, check Use SSL.
5. To determine which character set Websense software uses to encode LDAP information, select UTF-8 or MBCS. MBCS, or multibyte character set, is commonly used for encoding East Asian languages such as Chinese, Japanese, and Korean.
6. Click OK to cache your changes. Changes are not implemented until you click Save All.
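Hand-edited search filters fail in two ways: a typo leaves the parentheses unbalanced, and a user or group name that contains LDAP filter metacharacters (`*`, `(`, `)`, `\`) changes the meaning of the filter instead of being matched literally. The following is an added example, not the article's or Websense's code, that shows both checks: RFC 4515 escaping of the value substituted into a filter, and a structural check of the edited filter string. The filter templates are constructed for illustration; the article does not reproduce the product's default filter strings, and the `{user}` / `{group}` markers are an assumption of this example rather than Websense syntax.

```python
"""Added example (not part of the Websense article or product): escaping and
structural checks for hand-edited LDAP search filters. The templates below are
constructed for illustration and are not Websense's default filter strings.
"""

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot add or close filter terms."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_filter(filter_str: str) -> bool:
    """Structural check for an edited filter: balanced parentheses and exactly one
    outer expression. Escaped parentheses appear as hex codes, so they do not count."""
    s = filter_str.strip()
    if not (s.startswith('(') and s.endswith(')')):
        return False
    depth = 0
    for i, ch in enumerate(s):
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(s) - 1:
                return False   # text after the outer expression closed
    return depth == 0


# Constructed templates (assumptions, not Websense defaults). {user} and {group}
# are filled with escaped values by render_filter.
USER_SEARCH_FILTER = '(&(objectClass=user)(sAMAccountName={user}))'
GROUP_SEARCH_FILTER = '(&(objectClass=group)(cn={group}))'
# Domain search filter before and after the edit the article describes: a
# directory that uses "dept" instead of the organizational unit object class.
DOMAIN_SEARCH_FILTER_OU = '(|(objectClass=domain)(objectClass=organizationalUnit))'
DOMAIN_SEARCH_FILTER_DEPT = '(|(objectClass=domain)(objectClass=dept))'


def render_filter(template: str, **fields: str) -> str:
    """Fill a template with escaped values and reject the result if it is malformed."""
    rendered = template.format(**{k: escape_filter_value(v) for k, v in fields.items()})
    if not validate_filter(rendered):
        raise ValueError('malformed LDAP filter: ' + rendered)
    return rendered


def render_unescaped(template: str, **fields: str) -> str:
    """The weak form: raw substitution, kept only to show what escaping prevents."""
    return template.format(**fields)


if __name__ == '__main__':
    # Constructed input containing filter metacharacters, not a real account name.
    crafted = 'jsmith*)(objectClass=*'
    print(render_unescaped(USER_SEARCH_FILTER, user=crafted))   # extra term: matches far more than jsmith
    print(render_filter(USER_SEARCH_FILTER, user=crafted))      # metacharacters neutralised
    print(validate_filter(DOMAIN_SEARCH_FILTER_DEPT))            # True
    print(validate_filter('(&(objectClass=user)(cn=x)'))        # False: unbalanced
```

validate_filter is deliberately cheap: it catches the unbalanced-parenthesis mistake before the filter is saved with Save All, but it does not verify that the attribute and object class names exist in your directory, so after editing the Domain Search Filter as in step 3, confirm with a test lookup that users and groups still resolve.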
Notes & Warnings
For a live demonstration configuring Active Directory settings, see the first 10 minutes of the following Webinar.
This Webinar also offers troubleshooting steps later in the presentation.
If you have any pre-Windows 2000 domain controllers, do not configure Websense software to communicate with the directory service using Native Mode. If your domain controllers are all running Microsoft Windows 2000 or later, you can configure Websense to use Native Mode to gain access to advanced features, even if your network environment is running in Mixed Mode.
Avoid having the same user name in multiple domains. If Websense software finds duplicate account names for a user, the user cannot be identified transparently.
If you enter a Fully Qualified Domain Name instead of the global catalog server's IP address or hostname, and that domain name round-robins between several domain controllers, a lookup that lands on a domain controller that is no longer working will time out and cause latency.